On Wed, Aug 06, 2025 at 12:39:34PM +0200, Sebastian Mitterle wrote:
On Tue, Aug 5, 2025 at 1:54 PM Daniel P. Berrangé
<berrange(a)redhat.com> wrote:
>
> On Mon, Aug 04, 2025 at 06:31:14PM +0200, Sebastian Mitterle via Devel wrote:
> > Older libvirt versions still only work if 'encryption_key' is enabled
> > in the server and client certificates. Add a note.
> >
> > While at it, also add a note that after setting the certificates up,
> > the TLS ports need to be restarted because I haven't found a mention
> > of it elsewhere.
>
> Do this bit in a separate patch, since it is logically independent
> of the other change.
You're right, I was lazy.
>
> >
> > Signed-off-by: Sebastian Mitterle <smitterl(a)redhat.com>
> > ---
> > docs/kbase/tlscerts.rst | 25 ++++++++++++++++++++-----
> > 1 file changed, 20 insertions(+), 5 deletions(-)
> >
> > diff --git a/docs/kbase/tlscerts.rst b/docs/kbase/tlscerts.rst
> > index 215d454998..a1ea4d5f21 100644
> > --- a/docs/kbase/tlscerts.rst
> > +++ b/docs/kbase/tlscerts.rst
> > @@ -213,6 +213,10 @@ clients to reach the server, both with and without domain
name qualifiers. If
> > clients are likely to connect to the server by IP address, then one or more
> > 'ip_address' fields should also be added.
> >
> > +Important: If you're running a libvirt version before 11.6.0 you need to
also add
> > +``encryption_key`` to the template. Previous versions required this.
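Review bot: the second sentence of the added note ("Previous versions required this.") only restates the first, and the new text switches to second person ("If you're running") while the surrounding paragraph is impersonal ("clients are likely to connect to the server by IP address, then one or more 'ip_address' fields should also be added"); suggest one impersonal sentence that also says what happens on 11.6.0 and later, since the reply states the flag is ignored there, for example: "Important: libvirt versions before 11.6.0 also require ``encryption_key`` in the template; newer versions ignore it, so include it when compatibility with both is needed." As the file is reStructuredText, the ``.. important::`` admonition directive would render this more visibly than a plain "Important:" paragraph, if the document already uses admonitions elsewhere.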
>
> Can we expand this
>
> Important: versions of libvirt before 11.6.0 also required the ``encryption_key``
> flag in the template. This is no longer mandated since it is not applicable for
> use with many modern cryptographic algorithms, but it is harmless if present as
> it will be ignored. If compatibility with both old and new libvirt versions
> is required, then this extra flag must be added when creating the certificate.
>
> and likewise below
I wonder, with this expanded note, would it make sense to remove this from the
"Issuing server/client certificates" sections and instead move it up
to the previous section
"Background to TLS certificates"?
Yes, that would avoid the duplication.
Daniel
--
|: https://berrange.com -o- https://www.flickr.com/photos/dberrange :|
|: https://libvirt.org -o- https://fstop138.berrange.com :|
|: https://entangle-photo.org -o- https://www.instagram.com/dberrange :|
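The thread turns on whether a certificate carries the key usage that certtool's ``encryption_key`` template flag requests. The following added example (written for this page, not code from the thread or from libvirt) decodes an X.509 KeyUsage extension value so an administrator can check an existing certificate for compatibility with libvirt versions before 11.6.0; it assumes, as I understand certtool, that ``encryption_key`` maps to the RFC 5280 keyEncipherment bit and ``signing_key`` to digitalSignature, and the DER samples are constructed by hand rather than taken from real certificates.

```python
# Added example: decode an X.509 KeyUsage BIT STRING (RFC 5280, section
# 4.2.1.3) and report whether keyEncipherment, the bit that certtool's
# ``encryption_key`` template flag requests (assumption), is present.
# Not libvirt code; the sample DER values below are constructed by hand.

KEY_USAGE_BITS = [
    "digitalSignature", "nonRepudiation", "keyEncipherment",
    "dataEncipherment", "keyAgreement", "keyCertSign", "cRLSign",
    "encipherOnly", "decipherOnly",
]


def decode_key_usage(der: bytes) -> set:
    """Decode a DER-encoded KeyUsage BIT STRING into the set of named bits."""
    if len(der) < 3 or der[0] != 0x03:
        raise ValueError("not a BIT STRING")
    length = der[1]
    # KeyUsage is at most a few bytes, so only short-form lengths are handled.
    if length & 0x80 or len(der) != 2 + length:
        raise ValueError("unsupported or truncated length")
    unused, payload = der[2], der[3:]
    if unused > 7 or (not payload and unused):
        raise ValueError("invalid unused-bit count")
    total_bits = len(payload) * 8 - unused
    names = set()
    for i in range(min(total_bits, len(KEY_USAGE_BITS))):
        byte, bit = divmod(i, 8)
        if payload[byte] & (0x80 >> bit):  # bit 0 is the MSB of the first byte
            names.add(KEY_USAGE_BITS[i])
    return names


def needs_encryption_key_for_old_libvirt(der: bytes) -> bool:
    """True if keyEncipherment is absent, i.e. libvirt < 11.6.0 would reject it."""
    return "keyEncipherment" not in decode_key_usage(der)


# Constructed KeyUsage extension values (not complete certificates):
RSA_SIGN_AND_ENCRYPT = bytes.fromhex("030205a0")  # digitalSignature + keyEncipherment
SIGN_ONLY = bytes.fromhex("03020780")             # digitalSignature only (typical ECDSA cert)

if __name__ == "__main__":
    for label, der in (("signing+encryption", RSA_SIGN_AND_ENCRYPT),
                       ("signing only", SIGN_ONLY)):
        print(label, sorted(decode_key_usage(der)),
              "usable with libvirt < 11.6.0:",
              not needs_encryption_key_for_old_libvirt(der))
```

The function takes only the extension's value bytes; pulling those out of a full certificate needs an ASN.1 parser, or the "Key Usage" section of ``certtool -i`` output can be read directly.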